NSA Insisted Snowden Didn't Have Access To Actual Surveillance Data: But He Did... And It Shows How Much Non-Terrorist Content NSA Collects

from the lying-liars dept

Just a few days ago, the Privacy and Civil Liberties Oversight Board (PCLOB) more or less gave a pass to the Section 702 surveillance program by the NSA (approved by Section 702 of the FISA Amendments Act). This is the program that combines PRISM (basically court orders to internet companies for content) and Upstream (tapping fiber backbone to sniff basically all traffic) to collect communications (not just metadata) of "targets." For years, we've pointed out that the NSA defines "targets" differently than most everyone else does -- and people in the know, like Senator Ron Wyden, have been trying to warn us that the NSA defines "targets" in a manner that allows the NSA to spy on the communications of a very, very large number of innocent people. The PCLOB more or less admitted that they didn't actually see the details of what the NSA collected, but a newly analyzed trove of documents from Ed Snowden reveals the truth. While the program may actually be useful in discovering terrorist plots, it also appears to collect a ridiculous amount of data on people who clearly are not targets, and the NSA is incredibly lax about purging the database (so-called "minimization") of that unrelated information.

This latest report, written by Barton Gellman and Ashkan Soltani at the Washington Post, is important for a number of different reasons. First is that, for quite some time now, NSA insiders have insisted that while Snowden had access to papers and reports about the various surveillance programs, he never actually had access to the actual contents of the surveillance databases. That was clearly a lie. As the article notes:

As recently as May, shortly after he retired as NSA director, Gen. Keith Alexander denied that Snowden could have passed FISA content to journalists.

And, of course, Snowden-haters have regularly mocked the claim he made in his very first interview that "I, sitting at my desk, certainly had the authorities to wiretap anyone, from you, or your accountant, to a federal judge, to even the President if I had a personal email." Many had used the fact that no such "FISA data" had been revealed, or even alluded to, as proof that Snowden was talking bigger than his actual position and supposedly, as an "IT guy," he didn't really have access to the same info that analysts could access. It is now clear that those people were lying. Snowden clearly had access to that data, and gave a sample to Gellman.

Snowden said he did not need to circumvent those controls, because his final position as a contractor for Booz Allen at the NSA’s Hawaii operations center gave him “unusually broad, unescorted access to raw SIGINT [signals intelligence] under a special ‘Dual Authorities’ role,” a reference to Section 702 for domestic collection and Executive Order 12333 for collection overseas. Those credentials, he said, allowed him to search stored content — and “task” new collection — without prior approval of his search terms.

Of course, this makes it all the more concerning that the NSA has admitted it still has no idea what Snowden took. For all the talk of how carefully these programs are audited, can the NSA legitimately expect anyone to believe that others -- perhaps those with more nefarious intent -- haven't made off with the same kinds of content? The NSA (1) has admitted it doesn't know what Snowden took and (2) insisted he didn't have access to this data. Now that it's been proven he did have access to this data and gave it to journalists, it seems pretty damn clear that the NSA has no idea if anyone else took that same data as well -- or if they have been abusing the same access for more nefarious purposes (espionage, blackmail, you name it).

Meanwhile, the very same NSA attackers who insisted that Snowden didn't have access to the surveillance database have immediately ignored their old statements and now re-spun this story into how he was "reckless" in handling such sensitive data, Snowden explains that having a sample of this kind of data is incredibly important in letting the world know just how broad the 702 surveillance is:

In an interview, Snowden said “primary documents” offered the only path to a concrete debate about the costs and benefits of Section 702 surveillance. He did not favor public release of the full archive, he said, but he did not think a reporter could understand the programs “without being able to review some of that surveillance, both the justified and unjustified.”

Indeed, even for those of us who have been screaming loudly about how the NSA interpreted "target" differently than most people (including Congress) suspected, since long before Snowden leaked his documents, the detailed revelations here are eye opening about just how much information the NSA actually collects based on "targets."

Nine of 10 account holders... were not the intended surveillance targets but were caught in a net the agency had cast for somebody else.

Many of them were Americans. Nearly half of the surveillance files, a strikingly high proportion, contained names, e-mail addresses or other details that the NSA marked as belonging to U.S. citizens or residents. NSA analysts masked, or “minimized,” more than 65,000 such references to protect Americans’ privacy, but The Post found nearly 900 additional e-mail addresses, unmasked in the files, that could be strongly linked to U.S. citizens or U.S.residents.

And, frequently, the information that the NSA retained on clearly non-targeted individuals was quite revealing. Remember that this is the actual content of communications, not "just metadata" (that's a different program).

Many other files, described as useless by the analysts but nonetheless retained, have a startlingly intimate, even voyeuristic quality. They tell stories of love and heartbreak, illicit sexual liaisons, mental-health crises, political and religious conversions, financial anxieties and disappointed hopes. The daily lives of more than 10,000 account holders who were not targeted are catalogued and recorded nevertheless.

[....]

Scores of pictures show infants and toddlers in bathtubs, on swings, sprawled on their backs and kissed by their mothers. In some photos, men show off their physiques. In others, women model lingerie, leaning suggestively into a webcam or striking risque poses in shorts and bikini tops.

This sample cache shows pretty clearly that anything even remotely close to a loosely defined "target" (which could be a computer rather than a person) gets collected and stored:

If a target entered an online chat room, the NSA collected the words and identities of every person who posted there, regardless of subject, as well as every person who simply “lurked,” reading passively what other people wrote.

“1 target, 38 others on there,” one analyst wrote. She collected data on them all.

In other cases, the NSA designated as its target the Internet protocol, or IP, address of a computer server used by hundreds of people.

You may recall that, all the way back in 2011, we were reporting on Senators Ron Wyden and Mark Udall asking James Clapper how many Americans were being spied upon under Section 702 of the FISA Amendments Act and being told it was impossible to estimate such a number. Here, Gellman and Soltani use what they've found in the cache to give the estimate that the NSA/ODNI would not:

The NSA, backed by Director of National Intelligence James R. Clapper Jr., has asserted that it is unable to make any estimate, even in classified form, of the number of Americans swept in. It is not obvious why the NSA could not offer at least a partial count, given that its analysts routinely pick out “U.S. persons” and mask their identities, in most cases, before distributing intelligence reports.

If Snowden’s sample is representative, the population under scrutiny in the PRISM and Upstream programs is far larger than the government has suggested. In a June 26 “transparency report,” the Office of the Director of National Intelligence disclosed that 89,138 people were targets of last year’s collection under FISA Section 702. At the 9-to-1 ratio of incidental collection in Snowden’s sample, the office’s figure would correspond to nearly 900,000 accounts, targeted or not, under surveillance.

The report also highlights the cavalier attitude by NSA analysts in determining what to keep and what to "minimize." Section 702 certainly gave the NSA a lot more leeway to spy on Americans, and NSA analysts are making quite a lot of use of that leeway.

In their classified internal communications, colleagues and supervisors often remind the analysts that PRISM and Upstream collection have a “lower threshold for foreignness ‘standard of proof’ ” than a traditional surveillance warrant from a FISA judge, requiring only a “reasonable belief” and not probable cause.

One analyst rests her claim that a target is foreign on the fact that his e-mails are written in a foreign language, a quality shared by tens of millions of Americans. Others are allowed to presume that anyone on the chat “buddy list” of a known foreign national is also foreign.

Basically, it appears that if an analyst can come up with any reason they can justify claiming someone is "foreign," they can use it, even if they know the person is actually a US person. And because the NSA knows they have much greater power to spy under Section 702, they often shift investigations over to put them under this authority since they can get away with more:

In an ordinary FISA surveillance application, the judge grants a warrant and requires a fresh review of probable cause — and the content of collected surveillance — every 90 days. When renewal fails, NSA and allied analysts sometimes switch to the more lenient standards of PRISM and Upstream.

“These selectors were previously under FISA warrant but the warrants have expired,” one analyst writes, requesting that surveillance resume under the looser standards of Section 702. The request was granted.

The report is quite damning in revealing two things that the NSA has tried to hide: First, Snowden clearly had widespread access to the surveillance database content, despite strong claims that he did not. Second, that the database includes a ton of information on people not "targeted" and that such information outweighs info on targets by a factor of 9 to 1.

While they all pretended he crippled them, they said he didn't have the access to those things that don't exist.Except he did, those records do exist, and all of the people shouted down for wearing tinfoil hats now look like they could see the future.

These programs have no oversight. Those charged with providing oversight have abdicated that role, instead wrapping themselves up in the comforting blanket of they only do it to bad people. Sadly unless you are part of the spying, you are the bad people.

Sadly people will get distracted by what stupid thing some star did over the weekend, rather than forcing white hot rage at the leaders who have sold out the entire foundation the country was founded on. Because they are reading your posts, and misfortune hits those who dare speak out.

I wonder if fiber-optic taps on internet backbones are considered "targets". That's a surefire way to maximize the amount of "incidentally" collected data. If I was trying to collect it all, that's what I'd do.

What are we supposed to think? Everything we've been told by US officials has turned out to be nothing but lies. Like saying only metadata is collected. Now we're finding out baby pictures and other types of content are being collected and stored indefinitely. Without a warrant.

Seizing and searching the content of American communications is unconstitutional. These NSA programs are illegal.

encryption

If I have several different encryption programs, and I encrypt my document in method A, then take the results of that and encrypt with method B and then take those results and encrypt in method C, I doubt anyone could decrypt the results, unless they had a hint of the programs used and the sequence they were used. Is there a flaw in this idea?

Maybe he didn't have access to that data. Lets not forget that he talked to people about how the public would feel to learn about these programs, etc. Maybe he had help and he is trying to protect those persons that helped him.

While it may sounds like what I am saying is that the NSA mouths aren't lying to us after all, what I am really saying is that maybe they really will never have any idea what he actually took or had access to indirectly. They may very well have a much larger problem on their hands than they realize at NSA. Snowden could be the tip of the ice-burg.

It gets even better ... NSA did not "lie"

Robert S. Litt, the general counsel for the Office of the Director of National Intelligence, said in a prepared statement that Alexander and other officials were speaking only about "raw" intelligence, the term for intercepted content that has not yet been evaluated, stamped with classification markings or minimized to mask U.S. identities.“We have talked about the very strict controls on raw traffic..." Litt said. “Nothing that you have given us indicates that Snowden was able to circumvent that in any way.”

Silly intelligence committee members. They should have specifically asked about access to processed content.

Which database?

Alexander insists that Snowden didn't have access to the database. Maybe he was right: Maybe Snowden had access to A database, but not THE database Alexander was thinking of.

So maybe Snowden's revelation is just the tip of the iceberg. (As usual.)

Also, remember the disclosure last week that they were using first order contacts of targets as targets. Therefore, the correct total above (using the 9:1 ratio) is 89000x9x9, or 7.2 million people...and that was just the one request.

it seems pretty damn clear that the NSA has no idea if anyone else took that same data as well -- or if they have been abusing the same access for more nefarious purposes (espionage, blackmail, you name it)

We already know they have. Remember those articles about "LOVEINT"? That's basically stalking in some cases.

Re: Re:

Re:

More like, corporations are now people and since people can be targets, target the corporation that has a foreign employees that they can claim aren't extended 4th amendment protections instead of the individuals and any employees that are US citizens are incidental accidents that are "unwittingly" swept up in the collection. Also use the number of hops excuse to justify this collection as well.

Re: It's times like these

Bitch-slapping isn't enough. We need codified accountability thru criminal statutes that have significant penalties for civil rights violations of this nature and then they need to be prosecuted under such statutes.

Re: Re:

That would be a terrifying prospect: Any company making deals abroad is of interest because of their foreign contacts. Make that universal to cover single persons and you have plenty justification for collecting data on yourself for posting on this forum. It doesn't take much to get into a situation where every person in the world has a suspect-dossier in NSAs archives if that is the case.

You may be able to reduce the count by setting stricter standards for what is needed to define a foreign suspect, but then "collect it all" is a terrible strategy... It seems to me, that giving people the option of getting a gps-chip implanted in the neck and a camera in the forehead and have them maintained regularly, setting up for DNA, iris scan, facial scan, finger printing and a long interview or having NSA haunt you for life would make people choose something closer to Minority Report than 1984...

Re:

Airport security in USA has been strenghtened to: Computers and Smartphones has to be able to be turned on in the airport for you to get on a plane... It looks more like a counter-Miranda action than a counter to "invisible bombs".

Re: children and dinosaurs

This. Issues around domestic spying aside, I am utterly amazed at the lack of professionalism that the leaked documents have revealed. It looks for all the world like the NSA just went out and hired a bunch of script kiddies. Even if there were no constitutional issues with the programs, this would be enough of a reason to scream for reform.

When are we going to hear the following?

"While the U.S. constitution and human rights are not explicitly targeted for elimination, they are not merely within two hops of terrorists but are indeed actively aiding and abetting enemies of the United States. Consequently we are not willing to take any measures preventing those traitors from becoming collateral damage in targeted operations."

Protest

US citizens have no representation in this matter, because it's unlikely your congressperson is privy to the details of the affairs of the NSA or the secret court that enables it. Remember what the founders did when they felt they lacked representation? Rightly, US citizens—and everyone else caught up in this illegal dragnet surveillance—should be dumping something in a harbor. This upcoming September 11th would be a great day to protest with a march on your respective capitals. Without displays of unrest, we're just going to continue to see our rights erode.

"We know through painful experience that freedom is never voluntarily given by the oppressor; it must be demanded by the oppressed." – Martin Luther King, Jr.

Re: encryption

Here's what the NSA would probably do..

1) They would bruteforce your file until it cracks, 2)It´s possible that a backdoor was implemented into your encryption software that allows NSA access 3) If you plan to send the file to someone, then they would most likely hack the receiver of that file, and wait until the file is decrypted and, then either copy the entire clipboard while the receiver reads the file or download the file directly when opened. 4) They proably have software that easily can identify the encryption algoritm used. A walk in the park for these guys :)

Re: It gets even better ... NSA did not "lie"

The problem with an agency not being direct and open is that it kills any trust that was previously had in that agency.

By NSA agents responding to deposition questions evasively, it presents evidence that they have no intention of giving direct, truthful answers, and that implies that they are operating beyond what would be acceptable parameters for such an agency, were those parameters made public.

We cannot ever trust the NSA again. We may not be able to trust any future NSA-like state entity again.

Re: Re: encryption

My bet would be a modified version of 3):Send a team to install a snooper on the computer, hack the computer or install an ex situ device to monitor the computer or several of the above to have some redundance. Preferably it is done with a warrent, but the point is that if the computer is turned on, it is possible to monitor the activity on it, whether it is online or not. Encryption may help with the online surveillance programs, but the computer will always be possible to gain access to through FBI/CIA if they really want to spend the money on it...

Re: Re: Re:

Now that I think about it, maybe it can be flipped around. Since corporations are now people, US corporations could be considered US persons. And US persons have a 4th amendment right against unreasonable search and seizure without a warrant issued describing the items and places to be searched based on probable cause presented under oath. That would mean that a simple subpoena or NSL is not enough to compel compliance with the request for information in possession of the company. The company can simply tell them that they need to come back with a warrant.

Re: Re: Re: Re:

Re: Which database?

His words are likely meant to represent a lobbyists work to signal that NSA can handle their stuff, keep stopping legislation to improve oversight!

As usual the comments from NSA are not well-formulated and the problematic part is mainly that they seem to err on the side of security through obscurity and try to hide even completely unproblematic details in much broader terms to make people think they do more and better work than is really happening. It is basic hoodwinking, but these kinds of misleading lobbyist answers are apparently not illegal since clarification can make them into non-lies...

Re: Re: It's times like these

Re: Re:

That policy's been around for decades, and it's not got much to do with surveillance. Strip out all the interior workings of a laptop and you could stuff it full of enough Semtex to make one hell of a mess of an airliner, or a few grand's worth of cocaine.

Re:

Bruce Schneier has recently written, based on recent NSA news reports apparently not inspired by any known Snowden docs, that there is reason to believe that there is another possibly independent leaker at large.